I'm now using Ubuntu 8.10 with built-in encryption. It works like a charm - no patching necessary. Good job Ubuntu!

Prerequisites

I have a notebook capable of suspend to disk (and to RAM) with Linux. Both suspend to disk and suspend to RAM work out of the box with my Hewlett Packard HP nx6110.

During installation I wrote some notes to a text file; they are the base for this howto. It's possible that something is missing. Feel free to write me (e-mail address in the contact information).

I use the following partition layout:

partition     mount point
/dev/hda5     /
/dev/hda2     /boot
/dev/hda4     swap
/dev/hda6     /home

Table 1: partition layout

Aim

I wanted to encrypt the whole hard disk. Even the suspend to disk image should be written to an encrypted partition: that image is a copy of RAM, and RAM holds the keys of every LUKS device that is open, so an unencrypted swap partition would give away the contents of root and /home with it.

Encryption of the root filesystem

Just install Ubuntu, the server profile, into /dev/hda4, the later swap partition. Don't specify swap during the installation; we will introduce it later. Use /dev/hda2 as /boot (see Table 1). /boot will not be encrypted, because the kernel must be read from somewhere ;-) The installation on /dev/hda4 is only a stepping stone: the real root filesystem ends up in a LUKS container on /dev/hda5, and /dev/hda4 becomes the swap device at the end.

I'm not sure when this file was introduced, but now /etc/initramfs-tools/conf.d/cryptroot contains:

CRYPTOPTS="target=cryptroot,source=/dev/hda5"

Update the initramfs for the changes in cryptdisks.functions, fstab and crypttab (use the version of the kernel you actually boot):

update-initramfs -u -k 2.6.17-10-generic

Remove the splash option from the defoptions line in /boot/grub/menu.lst. The line is a comment, but update-grub reads it; without the boot splash the LUKS passphrase prompt is not hidden. Afterwards it reads:

# defoptions=quiet

Update grub:

update-grub

Reboot:

reboot

After asking for the LUKS passphrase my system came up with the login prompt. Fine.

Encryption of home

/ (root) and /home were on the same partition, and a fresh installation of Ubuntu was a pain, copying /home to a USB disk and back... So I decided to use a separate filesystem for /home.

Prepare /dev/hda6, the later /home, for encryption and mount the new filesystem on /mnt.

Move the content of the old /home (mainly the skeleton files of the user the Ubuntu installation added) to the new /home mounted on /mnt:

mv /home/* /mnt/

Because the root filesystem is encrypted now, the key for the /home partition can be stored in a plain file on it: the file is only readable once root has been unlocked with the passphrase. Create an additional LUKS key. Read the 32 bytes one at a time so that a short read from /dev/random cannot leave a truncated key behind, and make the file readable by root only:

dd if=/dev/random of=/etc/keys/home.key bs=1 count=32
chmod 600 /etc/keys/home.key

Add the newly created key to the LUKS partition (cryptsetup asks for one of the existing passphrases first):

cryptsetup luksAddKey /dev/hda6 /etc/keys/home.key

Add a line to /etc/crypttab for the encrypted /home:

crypthome /dev/hda6 /etc/keys/home.key luks

Add the /home entry to /etc/fstab:

/dev/mapper/crypthome /home ext3 defaults 0 2

Update initramfs for changes in fstab and crypttab:

update-initramfs -u -k 2.6.17-10-generic

Reboot:

reboot

Now you have an encrypted root and home filesystem, the key for /home being read from the encrypted root filesystem.
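The whole /home procedure as one script, added here as an example; it is not the howto's own code. It keeps the howto's device (/dev/hda6), mapper name (crypthome), key path and crypttab/fstab lines, fills in the luksFormat, luksOpen, mkfs and mount steps the text leaves out, reads the key from /dev/urandom instead of /dev/random, and by default only prints the commands instead of running them. The DRY_RUN switch and the helper names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original howto: the steps for turning
# /dev/hda6 into an encrypted /home, collected into functions. Device,
# mapper name and key path follow the howto; the DRY_RUN switch and the
# function names are this example's own. Default is DRY_RUN=1, which only
# prints what would be run; DRY_RUN=0 as root applies it (destroys hda6!).
set -eu

DRY_RUN="${DRY_RUN:-1}"
HOME_DEV="${HOME_DEV:-/dev/hda6}"
HOME_MAP="${HOME_MAP:-crypthome}"
HOME_KEY="${HOME_KEY:-/etc/keys/home.key}"

# run CMD...: execute, or print with a leading "+" when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# make_keyfile PATH: 32 random bytes, mode 0600, parent directory created.
# bs=1 count=32 forces exactly 32 bytes; with bs=32 count=1 a short read
# from the RNG would leave a truncated key and dd would not complain.
make_keyfile() {
    (
        umask 077                       # subshell: the umask change stays local
        mkdir -p "$(dirname "$1")"
        dd if=/dev/urandom of="$1" bs=1 count=32 2>/dev/null
    )
}

# keyfile_ok PATH: succeed only for a 32-byte key readable by root alone.
keyfile_ok() {
    [ "$(wc -c < "$1" | tr -d ' ')" -eq 32 ] && [ "$(stat -c %a "$1")" = 600 ]
}

# The two lines the howto adds to /etc/crypttab and /etc/fstab.
crypttab_entry() { printf '%s %s %s luks\n' "$HOME_MAP" "$HOME_DEV" "$HOME_KEY"; }
fstab_entry()    { printf '/dev/mapper/%s /home ext3 defaults 0 2\n' "$HOME_MAP"; }

# setup_home: the whole procedure in the order the howto describes it.
setup_home() {
    run cryptsetup luksFormat "$HOME_DEV"               # asks for a passphrase
    run cryptsetup luksOpen "$HOME_DEV" "$HOME_MAP"     # asks for it again
    run mkfs.ext3 "/dev/mapper/$HOME_MAP"
    run mount "/dev/mapper/$HOME_MAP" /mnt
    run sh -c 'mv /home/* /mnt/'                        # old /home -> new one
    run make_keyfile "$HOME_KEY"                        # lives on the encrypted /
    run cryptsetup luksAddKey "$HOME_DEV" "$HOME_KEY"   # asks for the passphrase
    run sh -c "echo '$(crypttab_entry)' >> /etc/crypttab"
    run sh -c "echo '$(fstab_entry)' >> /etc/fstab"
    run update-initramfs -u     # howto pins -k <version>; -u alone = running kernel
}
```

Keep the passphrase slot after adding the key file: if the root filesystem is ever lost, the passphrase is the only other way into /home. keyfile_ok is the check to run after copying a key file around, since dd and cp both happily produce a short or world-readable key.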

Encryption of swap

Encrypting swap is easy, but all howtos I've seen work with a random key for swap - a little difficult for the kernel to guess ;-) (A key generated fresh at every boot is fine for plain swap, but the suspend to disk image has to be read back with the same key it was written with, so here the swap device gets a LUKS container with a passphrase instead.)

Prepare /dev/hda4, the later swap and suspend to disk device, for encryption:

Ubuntu also needs to know its new resume device. Set the RESUME variable in /etc/initramfs-tools/conf.d/resume to the mapper device, not to the raw partition:

RESUME=/dev/mapper/cryptswap

Update initramfs:

update-initramfs -u -k 2.6.17-10-generic

Reboot:

reboot

Finished. During boot the system asks twice for a LUKS passphrase, first for the root device and then for the swap device. When resuming from suspend to disk it asks for the same two passphrases. Unlike /home, the swap key cannot be stored as a file on the root filesystem: the initramfs has to open the swap device and look for the resume image before / is mounted, so nothing on / is available at that point.
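The swap procedure as one script, added here as an example and not the howto's own code. It keeps /dev/hda4, the cryptswap name and the resume file from the howto and fills in the luksFormat, luksOpen and mkswap steps the text leaves out. The crypttab line with "none" as key (prompt for the passphrase at boot), the random-key variant shown next to it, the fstab line, the DRY_RUN switch and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original howto: encrypted swap that can
# also hold the suspend to disk image. /dev/hda4, the cryptswap name and the
# resume file follow the howto; the crypttab/fstab lines, the DRY_RUN switch
# and the function names are this example's assumptions. DRY_RUN=1 (default)
# prints the commands; DRY_RUN=0 as root applies them (destroys hda4!).
set -eu

DRY_RUN="${DRY_RUN:-1}"
SWAP_DEV="${SWAP_DEV:-/dev/hda4}"
SWAP_MAP="${SWAP_MAP:-cryptswap}"
RESUME_CONF="${RESUME_CONF:-/etc/initramfs-tools/conf.d/resume}"

# run CMD...: execute, or print with a leading "+" when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# crypttab line: "none" as key means "ask for the passphrase at boot". A key
# file on the root filesystem would not work here, because resume happens
# from the initramfs before / is mounted, so the file is not reachable yet.
swap_crypttab_entry() { printf '%s %s none luks\n' "$SWAP_MAP" "$SWAP_DEV"; }

# What the random-key howtos use instead (assumed line, Debian crypttab
# style). Safe for plain swap, but the key changes at every boot, so a
# suspend image written with it is unreadable after the reboot.
swap_crypttab_random() { printf '%s %s /dev/urandom swap\n' "$SWAP_MAP" "$SWAP_DEV"; }

swap_fstab_entry() { printf '/dev/mapper/%s none swap sw 0 0\n' "$SWAP_MAP"; }

# resume_uses_mapper FILE: succeed only if RESUME= names the mapper device.
# Pointing it at the raw partition gives the kernel a LUKS header instead of
# a swap signature, so the resume is skipped and the machine boots fresh.
resume_uses_mapper() {
    grep -q "^RESUME=/dev/mapper/${SWAP_MAP}\$" "$1"
}

# setup_swap: the whole procedure in the order the howto describes it.
setup_swap() {
    run cryptsetup luksFormat "$SWAP_DEV"              # asks for the passphrase
    run cryptsetup luksOpen "$SWAP_DEV" "$SWAP_MAP"    # asks for it again
    run mkswap "/dev/mapper/$SWAP_MAP"
    run swapon "/dev/mapper/$SWAP_MAP"
    run sh -c "echo '$(swap_crypttab_entry)' >> /etc/crypttab"
    run sh -c "echo '$(swap_fstab_entry)' >> /etc/fstab"
    run sh -c "echo 'RESUME=/dev/mapper/$SWAP_MAP' > $RESUME_CONF"
    run update-initramfs -u     # howto pins -k <version>; -u alone = running kernel
}
```

resume_uses_mapper is the check to run before rebooting: a RESUME line that still names /dev/hda4 is the usual reason a first hibernate "works" and then comes back as a plain boot.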